The Phisher Kings

Banks fight back against counterfeit e-mails and password thieves.

The high sophistication of "phishing" attacks - the use of counterfeit e-mails to steal passwords and other personal information - has caught even savvy Internet surfers unaware. "They look just like something your bank would send you," says Bill Harris, chairman of PassMark Security, LLC (Woodside, Calif.) and former CEO of Intuit and PayPal, of the phony e-mails. And if you click on the link in the e-mail, you're directed to a Web site that resembles the real thing - just long enough to enter your user ID and password.

Banks' dilemma: Warn (and consequently scare) customers, and you've just put a dent in your online channel. Say nothing, and the phishers run rampant. "The banks and the online players are in a real pickle," says Mark Goines, PassMark's chief marketing officer. "They don't know what to tell their customers." That's where several security-technology providers have come in, with solutions ranging from new authentication schemes to rapid-response teams.

Is This Your Child?

In order to help customers determine real bank sites from fakes, PassMark's approach assigns a low-resolution image to each customer - the first step in a multistep authentication process. When the user enters an ID or account number, the site responds by displaying the designated image. Only upon recognizing that image should the user enter a password. "Our research indicates that it takes people one or maybe two sign-ons to understand what this is about and to remember the image," says Goines.

Customers can also upload their own images, whether of grandchildren or pets. "Our patent filings cover text, audio, images, all sorts of things - any unique information," says Goines.

To protect against a "man-in-the-middle" attack, in which a fake site brokers messages between the user and the real site, PassMark will only send the image directly to computers for which it knows the device ID, which is stored both on a browser "cookie" and in its own database. People using unrecognized devices will be asked to register those devices, or to ascertain that they're using the correct URL. "If your main place of doing business is at home or work, we'll have device IDs associated with those computers," says Goines.

With in-house deployments and outsourced arrangements, PassMark hopes to launch a new industry standard for authentication, by virtue of its technology and its patent claims. "For the large institutions with millions of users, we're talking pennies per PassMark per year," says Goines.

The Real Emmitt Smith

The concept does have its precedents, such as the MasterCard SecureCode and "Verified by Visa" programs. In place since 2001, these implementations of the "3-D Secure" protocol allow cardholders to set a PIN for online card usage. But before the issuing bank asks for the PIN, it first presents a "personal message" selected by the customer for authentication purposes.

Both merchants and consumers are warming to the technology, says Naftali Bennett, CEO of Cyota (New York), which handles 83 percent of global Verified-by-Visa volume. "It's getting very good enrollment rates," Bennett says.

As for the phishing problem, Cyota has put together an anti-fraud command center to provide assistance in coping with an attack. "We're now seeing all of the phishing attacks, across the board, in real time," says Bennett.

Upon seeing an attack, Cyota will notify the bank immediately. About 30 minutes later, Cyota will provide an assessment that notes the scope of the phishing expedition and a damage estimate. "We've developed [a system] to ultimately tell the bank how many people have been hit," says Bennett. Additionally, Cyota offers proprietary countermeasures. "We've developed some very aggressive, proactive tools which help a bank to minimize the impact of an attack after it has happened," explains Bennett. "It also dramatically increases the deterrence against the fraudsters."

"We've been working with about 15 different large banks in the U.K. and the U.S., and this mechanism has really struck a note with all of them," adds Bennett. "It's not two years from now, it's not educating half the world to do something different or to digitally sign things or to use smart cards or who knows what - it's something that can be used tonight if there's an attack."